A hacker who phished the login credentials of LA County employees is believed to have compromised the personal data of over 750,000 people.
According to the Chief Executive Office of Los Angeles County, California, attackers stole the usernames and passwords from 108 County employees back in May 2016.
Some of these workers had individuals' client or patient information stored in their email accounts per their work responsibilities. As a result, the County launched an investigation into the incident to determine how many people the attack had affected.
Joel Sappell, who heads communications for the County, provides the answer in a press release published on 16 December:
"An exhaustive forensic examination by the County has concluded that approximately 756,000 individuals were potentially impacted through their contact with the following departments: Assessor, Chief Executive Office, Children and Family Services, Child Support Services, Health Services, Human Resources, Internal Services, Mental Health, Probation, Public Health, Public Library, Public Social Services and Public Works."
Why so long between the data breach and LA County warning potentially affected individuals? The County says that it was instructed by law enforcement to delay making any statements for fear that doing so might hinder a criminal investigation.
The information potentially stolen from those individuals is extensive. It consists of names, Social Security Numbers, payment card details, medical records, and other sensitive pieces of data.
In response, the County of Los Angeles is offering free identity monitoring to anyone affected by the breach. They can also contact a call center for more information about the incident.
At the same time, the County is taking a number of steps to find out what happened in the attack and prevent similar incidents from happening again.
First, it's cooperating with the District Attorney’s Cyber Investigative Response Team to bring to justice the actor(s) who perpetrated the attack. So far, local law enforcement has issued an arrest warrant for Austin Kelvin Onaghinor, a 37-year-old Nigerian national, and charged him with nine counts, including identity theft and unauthorized computer access.
1,000 email users at LA County are said to have received a phishing email from Onaghinor, with 108 county employee email accounts affected.
Which leads us to the second step: The County is working to defend against future phishing attacks by implementing safeguards such as new security measures and employee awareness training.
Per a FAQ page on the County's website:
"We are seeking to stay ahead of the rapidly evolving and continuous threats to our systems. The County remains vigilant in its efforts to protect confidential information and continues to strengthen the information privacy and security program to implement safeguards to prevent and/or reduce cyber-attacks."
One would hope that they are also considering introducing some form of multi-factor authentication to prevent unauthorised remote access to employee email accounts.
Whenever they come across an email from an unfamiliar sender, users should treat the email as malicious until proven otherwise. They can then set out to verify the legitimacy of the email by checking the URLs for their destinations and looking out for any indications of urgency or too-good-to-be-true offers. It'll only take a few seconds of their time, and it'll help prevent a major headache should the email prove to be fake.